Aussie Security Researcher Hacks Music Charts, Puts His Own 'Songs' Up Top

from the nothing-to-it dept

It's been known for quite some time that the music charts are subject to being easily gamed. In fact, one of the reasons why the major labels are "the major labels" was they figured out quite early on how to best game the system. Still, it appears that one security researcher down under took a somewhat different route to "topping the charts" down in Australia. As sent in by G Thompson, a guy by the name Peter Fillmore made himself into quite a musician in a very short period of time. Forget "practice, practice, practice." Fillmore went a different route towards learning music and composing and recording his "songs."

Rather than spend years practising an instrument and writing songs, he compiled music from clunky electronic MIDI files and later by applying algorithms that squashed together public domain audio.

He then posted the tracks to a variety of different platforms via CDBaby, apparently including Spotify, Rdio, MOG (from Telstra), Pandora, iTunes and some others -- and then the fun part:

He then purchased three Amazon compute instances and wrote a simple bash script to simulate three listeners playing his songs 24 hours a day for a month.

This move apparently pushed the music up the charts on various systems -- hitting the very top of the Rdio chart for Australia. In response, he released a second album, and saw it jump to the second spot (behind his first album) within a matter of weeks. Any human listeners, not surprisingly, were not particularly happy, and he got flooded with bad reviews, but it didn't much matter. His favorite comment: "I call it troll music." There was also one that said: "it might sound good on cocaine like when it was made, but this isn't music." He did get a single iTunes purchase, though.

MOG and Spotify actually appeared to suspect something was up and cancelled certain accounts. Spotify killed the accounts he had set up to listen (but not the actual music accounts); he's not entirely sure why, though he suspects a few things made it obvious they weren't legit (he didn't try that hard to cover his tracks). With MOG, he suspects it was because almost no one uses the service, so someone probably noticed the anomaly pretty quickly. Rdio, however, kept the albums up at the top, and even sent out promotional emails to people pushing his albums.

At this point, he created a third album, called A Kim Jong Christmas, which was all just actual public domain music, so that if anyone listened to it, they wouldn't immediately recognize it as "noise." As that one shot up the charts as well, users were confused, with one commenting: "There ain't no party like the Korean Worker's Party. But seriously -- what the hell is this doing on High Rotation?"

Of course, this was all done for the purpose of research. He was interested in a variety of things, including the fraud-checking on various music services, how royalties on these services work (he's got some data there as well) and various other things about how to make this kind of setup work. He also noted that when his accounts were suspended, almost no info was given, and he points out that this could also lead to a way for someone to attack a rival musician to get their works taken off of these services without warning or explanation.
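To make the fraud-checking question concrete, here is an added example (not code from Fillmore's research or from any of the services named). It shows why a chart ranked on raw play counts can be topped by three always-on accounts, and how counting distinct listeners and flagging near-continuous single-artist listening changes the result. The log format, account names, play counts and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict

def build_plays():
    """Constructed one-day play log of (account, artist, seconds_played)."""
    plays = []
    for i in range(40):                       # 40 ordinary listeners
        plays += [(f"user{i}", "popular_band", 210)] * 5
        if i % 2 == 0:                        # half of them also play a second act
            plays += [(f"user{i}", "indie_act", 200)] * 3
    for i in range(3):                        # 3 accounts looping one album for ~23 h
        plays += [(f"bot{i}", "looped_album", 180)] * 460
    return plays

def raw_chart(plays):
    """Rank artists by total play count (no per-account sanity checks)."""
    counts = Counter(artist for _, artist, _ in plays)
    return [artist for artist, _ in counts.most_common()]

def suspicious_accounts(plays, max_hours=16.0, min_share=0.9):
    """Flag accounts that stream nearly all day, nearly all of it one artist.
    Both thresholds are illustrative assumptions, not values from any service."""
    total = Counter()
    by_artist = defaultdict(Counter)
    for account, artist, secs in plays:
        total[account] += secs
        by_artist[account][artist] += secs
    return {
        account for account, secs in total.items()
        if secs / 3600 > max_hours
        and max(by_artist[account].values()) / secs >= min_share
    }

def listener_chart(plays, exclude=frozenset()):
    """Rank artists by number of distinct accounts, skipping excluded ones."""
    listeners = defaultdict(set)
    for account, artist, _ in plays:
        if account not in exclude:
            listeners[artist].add(account)
    return sorted(listeners, key=lambda a: (-len(listeners[a]), a))

if __name__ == "__main__":
    plays = build_plays()
    flagged = suspicious_accounts(plays)
    print("raw play chart:     ", raw_chart(plays))
    print("flagged accounts:   ", sorted(flagged))
    print("distinct listeners: ", listener_chart(plays, flagged))
```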

The other question that I have is if Fillmore has opened himself up to any legal risk. It looks like he made about $1,000 in royalties, so I could potentially see some companies arguing it was a type of fraud. If he were in the US, I could even see some crazy CFAA charges thrown at him, because that's the sort of crap that happens in the US under the CFAA. Hopefully calmer minds prevail and this is viewed in the spirit it was done: as a research project which popped out some rather interesting results (and some really bad music).

Proving that promotion is the biggest part.

That's why Mike's notions about the distribution systems are hooey. If you can get noticed any way at all -- and have a listenable product, deliberately NOT the case here -- then you've found the secret to Lady Gaga and Miley Cyrus (and latter was born rich, too).

I've several times advised Mike to focus on how his artistic readers can promote themselves and get noticed, but that too is ignored, not least because Mike never has practical advice (see his Step 2: ??????); he never really states anything positive, just puts stuff out to try and gin up comments. -- So here's mine, and now the fanboy-trolls can do their little bits of ad hom. If you support pure capitalism, you must somehow justify Miley Cyrus getting millions while productive laborers live in poverty.

"It's been known for quite some time that the music charts are subject to being easily gamed. In fact, one of the reasons why the major labels are "the major labels" was they figured out quite early on how to best game the system."

Pretty much. I've always looked with interest specifically at the differences between charts in the UK (where only purchases are considered, albeit often only those from pre-approved outlets) and the US (where things like radio airplay are taken into account). The UK charts always seemed to cover a wider range of styles and genres, especially during times when certain genres of music were considered niche or non-commercial.

It's complicated, but I dare say that this is an indication that control of the listening and advertising outlets lead to a more homogenised market, which is easier to control, hence the majors' dominance pre-internet.

"In the end, he apparently spent a grand total of about $30, but brought in decent royalties."

I'd love to get an actual figure here. The article's a little vague, both on the actual number of plays vs. royalties and where each payment originated (service, location, etc.), and on how these compare to normal payouts especially in the cases of half-played tracks.

"The other question that I have is if Fillmore has opened himself up to any legal risk."

Probably, unless he can fit under the classification of an exempt security researcher, etc. Unless the article is implying something that's not factual, he defrauded a system, resulting not only in financial gain to him but (as I understand the way these systems work) probably less royalties paid to actual musicians.

It's great as an exercise and a warning that these things can be defrauded but it's no different to clickfraud or any other scams out there in execution. But if he received actual payment as a direct result of his actions, he may well be on shaky ground in the current climate. As we've seen many times, the fact that he's not located in the US may not shield him from prosecution under their laws.

Re: Proving that promotion is the biggest part.

You bring up ‘Step 2’ as if it should act as a one-size-fits-all solution, but that doesn’t exist any more. And it never really has when you think about it — after all, how many dirt-poor musicians put in just as many hours of practice and playing in front of live audiences as the guys who made billions by lucking into a record label deal?

You want a ‘catch-all’ Step 2, though? Fine, here you go.

Step 2: Do the Fucking Work.

There’s your golden bullet. It doesn’t matter what form the work takes — you have to do it. You won’t make money by sitting on your ass and doing nothing.

You can write beautiful music, craft the best novel ever, or paint a masterpiece that would put the masters of art to shame — but if you don’t do the fucking work and find ways to promote that music/novel/painting and your skill in making it, you’ll never make a goddamn dime.

It doesn’t matter what you do or how you do it (so long as you don’t break the law), but you gotta do the fucking work. 99% of artists won’t have major media conglomerates backing them with thousands of dollars in promotional materials; they have to do the fucking work themselves. And if they don’t do the fucking work, they’ll resign themselves to a lifetime of obscurity and (likely) poverty.

If you want an actual, practical, catch-all solution to promotional issues or whatever…do the fucking work and figure it out for yourself.

Re: Proving that promotion is the biggest part.

"That's why Mike's notions about the distribution systems are hooey."

Only in your fantasy world are distribution and promotion not linked. Do you also want to claim that the fact that other chart systems have been gamed means that all music distribution systems are hooey? Because that's the only way you make sense.

"If you can get noticed any way at all -- and have a listenable product, deliberately NOT the case here -- then you've found the secret to Lady Gaga and Miley Cyrus (and latter was born rich, too)."

There's so many examples detailed on this very site that prove you wrong, that you would merely have to read it to know why. If only you would do so before typing.

But your constant obsession with the idea that becoming a millionaire in the mainstream pop market is the only valid form of success is duly noted. Like your obsession with the $100 million movie, it's a bunch of bullshit but it helps prove how dishonest you are without expending much thought.

"I've several times advised Mike to focus on how his artistic readers can promote themselves and get noticed"

Such as, by utilising different business models and services that focus on interaction with fans? Like innovative marketing and distribution techniques? Like the ones you obsessively attack without so much as reading the articles?

"If you support pure capitalism, you must somehow justify Miley Cyrus getting millions while productive laborers live in poverty."

...and who is this person who supports such a thing? Not the people you argue with here, I'll bet.

Re: Re: Proving that promotion is the biggest part.

"You bring up ‘Step 2’ as if it should act as a one-size-fits-all solution, but that doesn’t exist any more"

...and actually never has. The major label system has never worked for everybody, and often doesn't work for either consumer or artist. The history of music is strewn with classic albums that were never heard and careers ruined on a marketer's whim.

It just happened to be the most efficient and successful way of doing things for a couple of decades. But, the market realities that system was based on have changed. There's more than one "step 2", a great many of which are detailed on this very site for those not as obsessed with trolling it as a certain "I've admitted to not bothering to read past the headlines" up there.

So, THREE whole fans listening to your music 24/7 is enough to become #1? Seriously? I'm sure that tens of thousands listen to music by other musicians every day on those websites, so what kind of screwed up algorithms do they have?

That reminds me of a funny SMBC comic ages ago with the logic that algorithm must use. It was about a super computer designed to maximize happiness of the human race. The super computer decided the way to make the human race the most happy was to find one guy who was really easy to impress and make happy, Carl, and make the rest of the human race do all sorts of crazy things to make him happy, including having everyone give Carl their entire life savings.

Re:

"I'm sure that tens of thousands listen to music by other musicians every day on those websites, so what kind of screwed up algorithms do they have?"

Well, first of all there's a question that nobody on the side whining about these services has actually been able to answer to any degree of satisfaction - in terms of royalties, what difference does it make if a DJ plays a track to a thousand people one time or a single person listens a thousand times?

The same applies here. If the charts only track individual listens and no other metric, then these tracks may actually have been the most popular. The fact that security wasn't applied to the incoming data is an issue, but GIGO and that's not necessarily an algorithm at issue. If this guy's song was actually "listened" to more times than any other on a particular day, then the algorithm is fine even if the data it's working on is suspect.

The second is that the article's light on technical issues. Other sources I've heard have stated that the Amazon instances could have been used to utilise various accounts, IP addresses, etc. (which would in fact have been necessary for region-restricted services like Pandora). I'm thinking there may be more in the story than what's detailed in these couple of blog posts.

Re: Re:

Thanks! I had seen that in the linked article, but there's clearly more to it. It's an interesting ballpark total, but it doesn't really tell the whole story.

For example, it seems that this was $1,000 between all the services - is this US$ or AUS$ or a mixture of both (I'm assuming US as Pandora's a US only service, but who knows)? How was the "nearly a million hits" split between services like Spotify who cancelled early and others who didn't? How did the royalty rates differ between services? Did he actually receive all the royalties, or is there more withheld that would have been further income if this hadn't been caught (not the scope of the experiment, I know)?

I'm not seeing this kind of detail, but hopefully it will be forthcoming. I'd love it if this kind of story had the full figures to help counteract the usual FUD that accompanies accusations in other stories. I'm sure there's a lot of interesting info on the backend that non-industry folk like myself would find useful to respond to the "Spotify are thieves because they don't pay the same as CDs" kind of rubbish.

Re: Re: Re:

Yeah, if you watch the presentation that the guy did, he appears to show some numbers, but they're impossible to see in the video... I was hoping he'd release the whole presentation, but I couldn't see it...

Fraud

To suggest this was a harmless experiment is naive. The streaming music providers that pay out the royalties pay many times more in cost to get the $1,000 in royalties to the fraud. Not to mention all the time and resource cost to mitigate the gamed transactions and clean up (for both the streaming music provider and the music aggregation provider). Companies that provide streaming music are not rolling in cash, they are still losing money. The funds stolen directly impact the employees trying to make streaming music better. This is not an experiment, this is 100% theft and malicious disruption. Law enforcement (particularly the Secret Service) is getting much better at being able to build cases against this sort of fraud.

Re: Re: Re: Proving that promotion is the biggest part.

You missed this part:

And it never really has when you think about it — after all, how many dirt-poor musicians put in just as many hours of practice and playing in front of live audiences as the guys who made billions by lucking into a record label deal?

Re:

He hasn't broken Australian Computer, Contract, Transaction, or Corporate laws here in any way... though a tort (or two) could be used against him by anyone with a major axe to grind (though luckily in Aust the loser pays ALL fees so there would have to be highly exigent circumstances for a civil claim to occur)

If the USG is stupid enough to try to bring criminal charges against him then that is their problem since he would NEVER be extradited under current system. Though it would be advisable that he doesn't travel to the US or its territories in the foreseeable future.

Re: Re: Fraud

I can see his main point, in that there was expense caused by his fraud (since many of these services share royalties from a pot, royalties were redirected from actual artists; the admin costs both in assigning those funds and in catching and shutting down the fraud where that happened). He caused a non-zero dollar amount of costs through his actions. But, yeah, he definitely overplayed his hand there.